HerQules: Securing Programs via Hardware-Enforced Message Queues Daming D. Chen Wen Shih Lim Mohammad Bakhshalipour Carnegie Mellon University Carnegie Mellon University Carnegie Mellon University Pittsburgh, Pennsylvania, USA Pittsburgh, Pennsylvania, USA Pittsburgh, Pennsylvania, USA [email protected] [email protected] [email protected] Phillip B. Gibbons James C. Hoe Bryan Parno Carnegie Mellon University Carnegie Mellon University Carnegie Mellon University Pittsburgh, Pennsylvania, USA Pittsburgh, Pennsylvania, USA Pittsburgh, Pennsylvania, USA [email protected] [email protected] [email protected] ABSTRACT KEYWORDS Many computer programs directly manipulate memory using unsafe control-flow integrity, pointer integrity, memory safety, inter-process pointers, which may introduce memory safety bugs. In response, communication, compiler, kernel, shared memory, FPGA, microar- past work has developed various runtime defenses, including mem- chitecture ory safety checks, as well as mitigations like no-execute memory, ACM Reference Format: shadow stacks, and control-flow integrity (CFI), which aim to pre- Daming D. Chen, Wen Shih Lim, Mohammad Bakhshalipour, Phillip B. Gib- vent attackers from obtaining program control. However, software- bons, James C. Hoe, and Bryan Parno. 2021. HerQules: Securing Programs based designs often need to update in-process runtime metadata via Hardware-Enforced Message Queues. In Proceedings of the 26th ACM In- to maximize accuracy, which is difficult to do precisely, efficiently, ternational Conference on Architectural Support for Programming Languages and securely. Hardware-based fine-grained instruction monitoring and Operating Systems (ASPLOS ’21), April 19–23, 2021, Virtual, USA. ACM, avoids this problem by maintaining metadata in special-purpose New York, NY, USA, 16 pages. https://doi.org/10.1145/3445814.3446736 hardware, but suffers from high design complexity and requires significant microarchitectural changes. 1 INTRODUCTION In this paper, we present an alternative solution by adding a fast Many computer programs directly access memory using unsafe hardware-based append-only inter-process communication (IPC) pointers, which may unintentionally dereference memory that is primitive, named AppendWrite, which enables a monitored pro- out-of-bounds or that has been deallocated. For example, a buffer gram to transmit a log of execution events to a verifier running in a overflow occurs when memory outside a referenced buffer is ac- different process, relying on inter-process memory protections for cessed, whereas a use-after-free error occurs when deallocated mem- isolation. We show how AppendWrite can be implemented using ory is accessed. Attackers can leverage these memory safety bugs to an FPGA or in hardware at very low cost. Using this primitive, we corrupt program execution, by intentionally overwriting memory design HerQules (HQ), a framework for automatically enforcing that contains function pointers or program data. In response, run- integrity-based execution policies through compiler instrumenta- time defenses have been developed to detect these bugs or mitigate tion. HerQules reduces overhead on the critical path by decoupling corruption; e.g., by tracking allocation boundaries [10, 38, 60, 76], program execution from policy checking via concurrency, without temporal identifiers [77], tainted values [111], or control-flow point- affecting security. We perform a case study on control-flow integrity ers [8]. However, these defenses need to maintain runtime metadata against multiple benchmark suites, and demonstrate that HQ-CFI about memory, which must be protected from unintended access. achieves a significant improvement in correctness, effectiveness, Past work has explored various approaches for partitioning pro- and performance compared to prior work. gram subcomponents, which can be used to isolate these metadata. However, software-based mechanisms impose significant overhead, CCS CONCEPTS reduce compatibility, or rely on hiding information. Disjoint ad- • Security and privacy ! Software security engineering; • dress spaces [39, 70, 86] reconfigures the memory management unit Computer systems organization ! Processors and memory (MMU) to isolate physical memory, but it adds overhead by flush- architectures; • Software and its engineering ! Operating ing the translation lookaside buffer (TLB) on each context switch. systems; Message passing. Software fault isolation [109] (SFI) must mask all pointers to be effective, which requires recompilation of existing shared libraries. Permission to make digital or hard copies of part or all of this work for personal or Information hiding has low overhead, but relies on randomization classroom use is granted without fee provided that copies are not made or distributed of program code or layout, which is vulnerable to disclosure at- for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. tacks [92, 95, 97]. For all other uses, contact the owner/author(s). Hardware-based fine-grained instruction monitoring [9, 28, 35, ASPLOS ’21, April 19–23, 2021, Virtual, USA 44]) takes a different approach by modifying the processor to gen- © 2021 Copyright held by the owner/author(s). ACM ISBN 978-1-4503-8317-2/21/04. erate, filter, and process execution events (e.g., retired instructions, https://doi.org/10.1145/3445814.3446736 function calls, memory accesses, etc.) in isolated hardware. Research ASPLOS ’21, April 19–23, 2021, Virtual, USA Daming D. Chen, Wen Shih Lim, Mohammad Bakhshalipour, Phillip B. Gibbons, James C. Hoe, and Bryan Parno Table 1: Comparison of HerQules against hardware-based (3a) MSG: System-Call fine-grained instruction monitoring designs. (2b) MSG: Check(p, v) System-Call … Δ Design Events Recipient Paradigm HW (2a) MSG: Create(p, v) Check(p, v) FADE [44] HW/SW Core Filter-Update Big Create(p, v) FlexCore [35] HW/SW FPGA Reconfigure Big Guardian Council [9] HW/SW `Cores Filter-Map-Reduce Big (1a) Enable HerQules runtime LBA [28] HW/SW Core Filter-Update Big (4a) Parse messages (3b) Perform syscall Processor Trace [6] HW/SW Memory Filter-Update – HerQules SW Core Message Passing Small (1b) Notify new process proposals include adding a similarly-sized core [28, 44], an on-chip (4b) Allow syscall FPGA [35], or multiple microcontroller-sized cores (`Cores) [9], as shown in Table1. However, these designs require significant microarchitectural changes, and generate fixed hardware-defined Figure 1: Overview of interactions under HerQules. events that may not always be useful, but nevertheless incur both energy and logic costs. For example, under FADE [44], 84–99% of all events must ultimately be discarded as irrelevant. Guardian Coun- (CFI), which protects a program’s execution integrity by verify- cil [9] suffers from similar load balancing challenges, as anywhere ing control-flow transitions at runtime. Specifically, we develop between 2–24 `Cores are needed to reduce overhead below 5%, two new fine-grained pointer integrity designs, which are max- depending on the security policy being enforced. imally precise, do not suffer from the undecidability of pointer Recent commodity Intel processors include built-in support for aliasing [41, 88], and incorporate novel compiler optimizations. Processor Trace [6] (PT), which stores hardware performance mon- Compared to past work [30, 62, 63, 74], our designs maintain pro- itoring events in memory, and can support software-defined events gram correctness, preserve library compatibility, and add detection via a PTWRITE instruction. However, although it has been used of use-after-free errors on control-flow pointers, while minimizing for instruction monitoring by past security policy enforcement overhead, as shown in Table3. We evaluate the correctness, effec- designs [37, 45, 53, 71], it is not designed as a security mecha- tiveness, and performance of our designs on the SPEC CPU2006 [55], nism, and thus suffers from numerous flaws. Hardware-defined SPEC CPU2017 [22], RIPE [90, 110], and NGINX [98] benchmarks. events do not provide sufficient execution context, which forces Our results demonstrate the successful execution of all benchmarks, these designs to reconstruct control-flow by disassembling pro- and the discovery of new use-after-free bugs in the SPEC bench- gram binaries, which adds complexity and overhead. Event packets marks. Our fastest design prevents all but one type of exploit with can be lost or overwritten due to, e.g., performance monitoring a geometric mean overhead of 14.4%, whereas our comprehensive interrupt skid [6], which defeats security. Tracing and decoding design prevents all exploits at the cost of increased overhead, which of events incur tremendous overhead, measuring over 500x [71] improves over past work. on the SPEC benchmarks. As a workaround, these designs must We summarize our contributions as follows: limit which events are monitored (e.g., monitoring only 7-10 system calls—execve, mmap, etc.), which greatly reduces effectiveness (espe- • We observe that software-based program partitioning lacks effi- cially since these system calls are rarely used in compute-intensive cient isolation, whereas hardware-based instruction monitoring programs like SPEC benchmarks). is overly complex, and instead propose a simple new Append- In this paper, we observe that prior software-based approaches Write IPC primitive (§2.3), which we implement in both an